ResRepFilter.java example

Explorer
coprhd-controller-master
/*
 * Copyright (c) 2008-2013 EMC Corporation
 * All Rights Reserved
 */

package com.emc.storageos.api.service.impl.response;

import java.net.URI;
import java.util.HashSet;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.emc.storageos.api.service.authorization.PermissionsHelper;
import com.emc.storageos.api.service.impl.resource.ArgValidator;
import com.emc.storageos.db.client.model.VirtualArray;
import com.emc.storageos.db.client.model.ComputeVirtualPool;
import com.emc.storageos.db.client.model.VirtualPool;
import com.emc.storageos.model.RelatedResourceRep;
import com.emc.storageos.security.authentication.StorageOSUser;
import com.emc.storageos.security.authorization.ACL;
import com.emc.storageos.security.authorization.Role;

/*  
 * Base class of resource reprensentation filter
 * Used by search for now
 */
public abstract class ResRepFilter<E extends RelatedResourceRep> {
    private static final Logger _log = LoggerFactory.getLogger(ResRepFilter.class);

    protected PermissionsHelper _permissionsHelper;
    protected StorageOSUser _user;

    public static class ResourceFilteringCache {
        public HashSet<URI> _accessibleParentResources = new HashSet<URI>();
        public HashSet<URI> _nonAccessibleParentResources = new HashSet<URI>();
    }

    private final ResourceFilteringCache _cache = new ResourceFilteringCache();

    protected ResRepFilter(StorageOSUser user,
            PermissionsHelper permissionsHelper) {
        _user = user;
        _permissionsHelper = permissionsHelper;
    }

    /**
     * verify whether the user in the filter has access to the resource
     * 
     * @param relatedResourceRep the resource to be checked upon.
     * @return true if user can access the resource.
     */
    public abstract boolean isAccessible(E relatedResourceRep);

    /**
     * verify whether the user in the filter has access to tenant
     * 
     * @param tenant the tenant to be checked upon.
     * @return true if user can access the tenant.
     */
    public boolean isTenantAccessible(URI tenant) {
        ArgValidator.checkFieldNotNull(tenant, "tenant");
        if (tenant == null) {
            return false;
        }

        // refine cache later
        if (_cache._accessibleParentResources.contains(tenant)) {
            return true;
        }
        if (_cache._nonAccessibleParentResources.contains(tenant)) {
            return false;
        }

        boolean ret =
                _permissionsHelper.userHasGivenRole(
                        _user, tenant, Role.TENANT_ADMIN);
        if (ret) {
            _cache._accessibleParentResources.add(tenant);
            _log.info("user {} has TENANT_ADMIN role for tenant {}.",
                    _user.toString(), tenant.toString());
        } else {
            _cache._nonAccessibleParentResources.add(tenant);
            _log.info("user {} has not TENANT_ADMIN role for tenant {}.",
                    _user.toString(), tenant.toString());
        }
        return ret;
    }

    /**
     * verify whether the user in the filter has access to the project
     * 
     * @param project the project to be checked upon.
     * @return true if user can access the project.
     */
    public boolean isProjectAccessible(URI project) {
        if (project == null) {
            return false;
        }

        if (_cache._accessibleParentResources.contains(project)) {
            return true;
        }
        if (_cache._nonAccessibleParentResources.contains(project)) {
            return false;
        }

        boolean ret = _permissionsHelper.userHasGivenACL(
                _user, project, ACL.ANY);
        if (ret) {
            _cache._accessibleParentResources.add(project);
            _log.info("user {} has ACL.ANY for project {}.",
                    _user.toString(), project.toString());
        } else {
            _cache._nonAccessibleParentResources.add(project);
            _log.info("user {} has not ACL.ANY for project {}.",
                    _user.toString(), project.toString());
        }
        return ret;
    }

    /**
     * verify whether the user in the filter has access to the vpool
     * based on resource ACL
     * 
     * @return true if user can access the resource.
     */
    public boolean isVirtualPoolAccessible(VirtualPool resource) {
        return _permissionsHelper.tenantHasUsageACL(
                URI.create(_user.getTenantId()), resource);
    }

    /**
     * verify whether the user in the filter has access to the computeVirtualpool
     * based on resource ACL
     * 
     * @return true if user can access the resource.
     */
    public boolean isComputeVirtualPoolAccessible(ComputeVirtualPool resource) {
        return _permissionsHelper.tenantHasUsageACL(
                URI.create(_user.getTenantId()), resource);
    }

    /**
     * verify whether the user in the filter has access to the neighbor
     * based on resource ACL
     * 
     * @return true if user can access the resource.
     */
    public boolean isVirtualArrayAccessible(VirtualArray resource) {
        return _permissionsHelper.tenantHasUsageACL(
                URI.create(_user.getTenantId()), resource);
    }

    protected boolean isSystemAdmin() {
        return _permissionsHelper.userHasGivenRole(
                _user, null, Role.SYSTEM_ADMIN);
    }

    protected boolean isRestrictedSystemAdmin() {
        return _permissionsHelper.userHasGivenRole(_user, null, Role.RESTRICTED_SYSTEM_ADMIN);
    }

    protected boolean isSystemOrRestrictedSystemAdmin() {
        return isSystemAdmin() || isRestrictedSystemAdmin();
    }

    protected boolean isSecurityAdmin() {
        return _permissionsHelper.userHasGivenRole(_user, null, Role.SECURITY_ADMIN);
    }
}